Tuesday, May 14, 2013

UserAssist Forensics (timelines, interpretation, testing, & more)


Everything I've learned on the subject of digital forensics has been a direct result of both experience and reading forensics books, blogs, and list-serv responses written by people like Ken Pryor, Harlan Carvey, Eoghan Casey, Chad Gough, Rob Lee, Lee Whitfield, Brad Garnett, David Kovar, Andrew Case, Dave Hull, Dan O'Day, Shafik Punja, Frank McClain, Cory Altheide, Joe Garcia, Hal Pomeranz, *deep breath* Troy Larson, Chad Tilbury, Andrew Hoog, Andrew Hay, cci, pr0neer, Eric Huber, Luby Novitovic, Michael Hale Ligh, Alex Bond, Jimmy Weg, Corey Harrell, Dan Farmer, Larry E. Daniel, Jamie Levy, Tom Yarrish, Andreas Schuster, Loc Nguyen, David Cowen, Didier Stevens, Joachim Metz, Ovie Carroll, David Nides, Brian Carrier, Jesse Kornblum, Patrick Olsen, and many more (I know I've forgotten some; I apologize to those I've missed). So I just wanted to start off with a quick 'thank you,' as you've all driven me to this point. Your work is very much appreciated.
----------------------------------

Before I get into the bulk of it all, let me note that UserAssist artifacts are nothing new. Didier Stevens and Harlan Carvey have written some great posts about what the UserAssist keys are and how they are laid out. Richard Drinkwater and Sploited have also posted about them. Harlan's Windows Registry Forensics also serves as a fantastic reference for not only this topic, but other registry artifacts as well; highly recommended. I will be covering the practical interpretation of the existence of these artifacts -- not their structures. So, as always, I would highly recommend that you take a look at all of the articles referenced at the bottom of this post for more in-depth information on the specifics. With that said, let's sum up what we already know about UserAssist artifacts.

UserAssist Summary
  • It is a registry key. It has values in subkeys that relate to each item executed on the system.
    • Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
    • Contains standard subkeys related to program/LNK file execution and toolbar interaction. Typical layout under UserAssist key is as follows: 
      • Windows XP
        • {5E6AB780-7743-11CF-A12B-00AA004AE837}
          • Count
        • {75048700-EF1F-11D0-9888-006097DEACF9}
          • Count
      • Windows 7
        • {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
          • Count
        • {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
          • Count
    • Each count subkey contains ROT-13 encoded values; each value is a separate UserAssist entry.
  • Windows XP and Windows 7 UserAssist registry values have different binary structures.
    • Win7 adds time of app interaction/focus; minor changes to time offsets
  • There are many "UEME_" prefixes in Windows XP; they are nerfed in Windows Vista and further so (almost non-existent) in Windows 7.
  • The raw "run count" starts with the number "5" instead of "0." Most UserAssist tools will convert this number to alleviate the extra run counts, though (this is fixed in Win7).
  • It keeps track of the number of times applications/applets are launched (via shortcuts, Explorer shell, control panel, etc); this influences which items are automatically listed in the Start menu (i.e. programs used most often) for each user.
    • This differs from Prefetch execution count; prefetch count is not user-specific like UserAssist count.
  • It can keep track of how a program was launched (easier to determine on WinXP).

Forensic Value (or Why It's Important)

We now know the basics of what UserAssist artifacts are...so how can we use them to our advantage? Through them, we can determine the following:
  • Frequency of program execution -- per user.
  • Last time a program was launched.
  • From whence items were being launched most often.
  • System date/time changes.
  • Evidence of programs after deletion/uninstall.
  • How long a user has interacted with a given program (Win7).
  • Evidence of absence. (i.e. "items were in a specific location at one time." e.g. "My Documents" folder is empty...but was launched 224 times)
That last bullet is oddly specific because, well, I ran into that on a case recently. I was able to use information from the UserAssist key to determine that a [now empty] My Documents folder was opened 200+ times and was launched immediately before file copy activity and system cleaning/wiping. Couple this with shellbag artifacts showing what used to be there and the fact that the My Documents folder was not being redirected and...well, you get the point. These artifacts are valuable -- especially those found within the UserAssist key.

Pre-Testing (or What To Expect And Why)

Much of my interest and curiosity in regard to UserAssist artifacts was spawned by reviewing timelines. I had always seen red UserAssist entries in my colored timelines, but I never completely understood the forensic potential that they held. In the case above, I saw one entry in particular that confused me at the time:


This timeline entry shows the usual elements: time, artifact + type of source, type of artifact, and a [short] description of the artifact value. Since red entries suggest Program Execution and we see that the sourcetype is a UserAssist key, we shift our focus to the artifact value. To offset any confusion right of the bat, let's take a look at a more standard UserAssist timeline entry first:


We see the "UEME_" prefix followed by "RUNPATH" and then the full path to the executed program. This essentially tells us that the program, CCleaner, which is located at the given path, was run in some way at 8:13:53.

If you'd like, you could stop there...or...you could dig a little deeper to understand exactly how and why you are seeing what you're seeing. I suggest the latter. So, now that we have a little better understanding of what that value means, let's go back to our initial, confusing entry:

 
We see the familiar "UEME_" prefix and "RUNPATH." But then we see a triple colon ":::" followed by "[My Documents] VIRTUAL."  Based on our CCleaner entry, we might expect to see a full path to an executable. So what gives?

What we see above is an artifact left as a result of a user opening a Windows virtual folder (in this case, My Documents). These folders are also known as special folders. Other special folders include the Recycle Bin, My Network Places, and the like. Log2timeline is nice enough to let us know that this is a virtual folder by ending the value with "VIRTUAL."

On that note, it's important to understand what log2timeline is doing to allow you to see that "[My Documents] VIRTUAL" portion of the value. The log2timeline source tells us that when log2timeline comes across a "CSIDL" or "known folder" GUID, it will translate the GUID to its human-readable counterpart (there are many officially recognized GUIDs, and even more unofficially recognized GUIDs). To illustrate this, consider the following output from RegRipper's userassist module:

Mon Jan  7 13:48:31 2013 Z
  UEME_RUNPATH:::{450D8FBA-AD25-11D0-98A8-0800361B1103} (224)


This is the same exact data we are seeing in the timeline entry (with the added run count in parentheses); the only difference being that the {450D8FBA-AD25-11D0-98A8-0800361B1103} GUID is translated to "[My Documents] VIRTUAL" in the timeline. Of course, you will have to look up any GUIDs that do not have a name associated with them in log2timeline.

As the above example suggests, UserAssist artifacts will show up with more than just paths to executables. You will also see entries that point to certain folders and LNK files (e.g. a user double-clicking the Recycle Bin folder on the desktop; a user double-clicking a program shortcut; etc).

UserAssist Entry Variations

The above gives an example of what we'll see when we encounter a RUNPATH entry. I would argue that this kind of entry will be the most common that you will see. There are, however, some different UserAssist entries, as well. The absolute best explanation of these entry types that I have found is from Didier Stevens's UserAssist article in the first issue of Into The Boxes:
  • UEME_CTLSESSION: This entry is for the session ID, it doesn't hold data about executed programs
  • UEME_UIQCUT: Counts the programs launched via a Quick Launch menu shortcut
  • UEME_UISCUT: Counts the programs launched via a Desktop shortcut
  • UEME_RUNCPL: This entry keeps data about executed control applets (.cpl)
  • UEME_RUNPATH: This entry keeps data about executed programs
  • UEME_RUNPIDL: This entry keeps data about executed PIDLs
  • UEME_UITOOLBAR: This entry keeps data about clicks on the Windows Explorer Toolbar buttons
In my experience, the RUNPATH, RUNCPL, and RUNPIDL entries serve as the most useful. We'll see some examples of what causes each of these entries in the following section.


Testing (or How It Really Looks In Practice)

Tests were run on some of the more common user activities (and POC actions) to see exactly how UserAssist entries are triggered. The 13 scenarios below illustrate how UserAssist entries look both in the registry and in timelines after a given user action is performed. Note that the applications used are merely examples and can be substituted with countless others.



Action #1: Click Internet Explorer via Start Menu

We see a virtual folder for the default internet browser along with the Internet Explorer executable

Parsed registry UserAssist entries:
    UEME_RUNPIDL:::{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0} (1)
    UEME_RUNPATH:C:\Program Files\Internet Explorer\iexplore.exe (1)
    UEME_RUNPATH (6)
    UEME_RUNPIDL (3)



Action #2: CMD.exe via Start Menu > Run... dialog

Path to cmd.exe after being typed into Run... dialog

Parsed registry UserAssist entries:
    UEME_RUNPATH:C:\WINDOWS\system32\cmd.exe (1)
    UEME_RUNPATH (3)



Action #3: CCleaner Run via Shortcut on Desktop (Double-click)

LNK file from desktop with full path to exe. Also UISCUT (desktop shortcut) entry

Parsed registry UserAssist entries:
    UEME_RUNPATH:CCleaner.lnk (1)
    UEME_RUNPATH:C:\Program Files\CCleaner\CCleaner.exe (1)
    UEME_RUNPATH (4)
    UEME_UISCUT (1)



Action #4: CCleaner Run Directly via Program Files or Start Menu > Run... dialog

Note entries around UserAssist entries (MUICache for first launch; RunMRU for text typed into run dialog)

Parsed registry UserAssist entries:
    UEME_RUNPATH:C:\Program Files\CCleaner\CCleaner.exe (1)
    UEME_RUNPATH (3)



Action #5: Right-click Recycle Bin > "Open CCleaner..." or "Run CCleaner..."

Note special case: "ccleaner.exe" is lowercase when launched via right-click of Recycle Bin

Parsed registry UserAssist entries:
    UEME_RUNPATH:C:\Program Files\CCleaner\ccleaner.exe (1)
    UEME_RUNPATH (3)



Action #6: Double-click Recycle Bin Icon on Desktop

Note virtual folder for Recycle Bin via desktop icon

Parsed registry UserAssist entries:
    UEME_RUNPATH:::{645FF040-5081-101B-9F08-00AA002F954E} (1)
    UEME_RUNPATH (3)
    UEME_UISCUT (1)



Action #7: Double-click Time in Task Bar

Note the RUNCPL, as this is a control panel item. Can determine potential time change.

Parsed registry UserAssist entries:
    UEME_RUNCPL:timedate.cpl (1)
    UEME_RUNCPL (1)



Action #8: Open CCleaner via Start Menu > All Programs

Note %csidl2%. This shows when navigating through All Programs in Start Menu. Shortcut must ultimately be clicked in order to see this; simply hovering over it will not cause an entry.

Parsed registry UserAssist entries:
    UEME_RUNPIDL:%csidl2%\CCleaner\CCleaner.lnk (1)
    UEME_RUNPIDL:%csidl2%\CCleaner (1)
    UEME_RUNPATH:C:\Program Files\CCleaner\CCleaner.exe (1)
    UEME_RUNPATH (3)
    UEME_RUNPIDL (3)



Action #9: Run CCleaner via Start Menu Item (pinned or MRU Start Menu item)

Note full path to LNK file

Parsed registry UserAssist entries:
    UEME_RUNPATH:C:\Program Files\CCleaner\CCleaner.exe (1)
    UEME_RUNPIDL:C:\Documents and Settings\All Users\Desktop\CCleaner.lnk (1)
    UEME_RUNPATH (3)
    UEME_RUNPIDL (3)



Action #10: Right-click Desktop > Properties

Another control panel item
Parsed registry UserAssist entries:
    UEME_RUNCPL:desk.cpl (1)
    UEME_RUNCPL (1)



Action #11: Double-click My Documents folder on Desktop (after "show desktop icons" enabled via Properties)
Note virtual folder and surrounding shellbags entry

Parsed registry UserAssist entries:
    UEME_RUNPATH:::{450D8FBA-AD25-11D0-98A8-0800361B1103} (1)
    UEME_RUNPATH (4)



Action #12: Click Once, Press Enter for My Computer icon on Desktop

Once again, note virtual folder
 
Parsed registry UserAssist entries:
    UEME_RUNPATH:::{20D04FE0-3AEA-1069-A2D8-08002B30309D} (1)
    UEME_RUNPATH (3)
    UEME_UISCUT (5)



Action #13: Wordpad launched via QuickLaunch Toolbar

Note UIQCUT entry. RUNPATH entry trigger was sporadic (would NOT show for CCleaner)

Parsed registry UserAssist entries:
    UEME_UIQCUT (1)
    UEME_RUNPATH (2)
    UEME_RUNPATH:C:\Program Files\Windows NT\Accessories\wordpad.exe (1)

**This list is NOT exhaustive, but gives a solid base for what you'll see when analyzing UserAssist entries.


Caveats

It is important to note, at this point, that the above focuses on analyzing Windows XP machines. One of the [unfortunate] modifications that came with Windows 7 was the removal of [almost all of the] "UEME_" prefixes in UserAssist entries. Why is this unfortunate? Because it is this part of the value that tells us how the program was launched.

Not only that, but the binary structure of the UserAssist values have changed. Didier Stevens talks about this at length in his article here.

There are limits to what we can conclude from UserAssist entries. For example, consider this entry:



As we have learned from testing, the above entry can mean many different things without context. It could mean that the user launched the program:
  • from the "Run" dialog box in the Start Menu
  • by double-clicking the .exe in the full path
  • by selecting the program from Start Menu > All Programs
  • by selecting the program from a pinned/MRU Start Menu icon

We must look at the other entries that come with this entry so that we can further determine how it was launched.
  • If this was the ONLY UserAssist entry that was updated at 8:13:53, we can rule out the "Start > All Programs" and "pinned/MRU Start Menu icon" possibilities, as those will show more than just this entry (i.e. they will come with an additional RUNPIDL entry).
Another thing to note would be that you will only see the latest time a program was run for each way it is run, as the embedded time in each appropriate entry will be updated/overwritten every time you run said program. All hope is not lost, however. I've had clients ask about how many times a given program was run since X date, and UserAssist entries have helped in confirming that a program has been run "at least n times" by considering the following:
  • Programs run in different ways will leave artifacts with different times attached to them (e.g. run once from the Start Menu and once from an icon on the desktop)
  • Restore Points and Volume Shadow Copies hold old NTUSER.DAT files, which can be parsed to see the latest UserAssist entry times at the time of the RP/VSC creation (log2timeline will parse RPs for you, and by modifying l2t plugins, as Corey Harrell does, you can create VSC timelines).
    • you can also use the RP/VSC run counts for each entry and diff them against the current NTUSER.DAT to find how many times a program was run in a given date range.

Further Research

UserAssist artifacts have been reliable evidence sources in forensic investigations for quite some time now. However, that does not mean that they have been solved in full. The Windows 7 (and potentially Windows 8?) UserAssist binary structure introduced some new items -- some that have yet to be reversed. As Didier Stevens has stated, there is still more work to be done. Despite this, there is much we can gather from these artifacts.

While UserAssist artifacts will show us some pretty valuable information, one must not forget about the significance of surrounding artifacts; looking at UserAssist entries alone will not cut it in performing a quality investigation; the more context you have, the better you will understand what a given artifact is telling you.

As for future analysis, I encourage people to test UserAssist behavior and to understand what the artifacts themselves mean. Understanding breeds correct conclusions in investigations. Interpreting things incorrectly could have dire consequences, as well. The only way to know that you're doing something right is to test it. Remember: never trust what you're seeing at face value. Test, test, and test again.


-Dan (@4n6k)


References
1. UserAssist Utility (by Didier Stevens)
2. SANS Forensic Artifact 6: UserAssist (by Sploited)
3. ForensicArtifacts UserAssist (by Matt)
4. Windows 7 UserAssist Registry Keys - Into The Boxes (by Didier Stevens)
5. CLSID List (Windows Class Identifiers)
6. Windows Registry Forensics (by Harlan Carvey)
7. WindowsIR UserAssist Posts (by Harlan Carvey)
8. Prefetch and User Assist (by Richard Drinkwater)
9. Colorized Supertimeline Template (by Rob Lee) 
10. KNOWNFOLDERID List (by Microsoft)
11. Known Folder GUIDs for File Dialog Custom Places (by Microsoft)
12. CLSID Key (GUID) Shortcuts List for Windows 7 (by SevenForums)
13. CLSID List (by AutoScriptIt)
14. Registry: MUICache (by ForensicArtifacts)
15. Volume Shadow Copy Timeline (by Corey Harrell) 
*Special thanks to Harlan Carvey and Kristinn Gudjonsson to answering some quick questions I had in researching this

6 comments:

Keydet89 said...

Great stuff! Thanks for sharing this!

4n6k said...

Thanks for the kind words, Harlan.

Keydet89 said...

Not at all, they're well deserved. It isn't very often that we see such thorough treatments of a subject in a blog post, and such things are great contributions to the community.

jbscarva said...

Great!!! Thanks for share with us!

Lakshmi N said...

Thanks for the writeup Dan. And thanks for sharing. Very useful for a case I am working on.

4n6k said...

@Keydet89: Agreed; it's definitely something I'd like to see more of.

@jbcarva: Thanks!

@Lakshmi N: Glad you found it useful!

Post a Comment